New Ransomware dubbed ‘Bad Rabbit’ used NSA’s EternalRomance Exploit

(Last Updated On: 7th November 2017)

Last week, a newly identified ransomware strain affected computer systems across Europe.

The new strain of ransomware, dubbed ‘Bad Rabbit’ and spreading primarily in Russia, Ukraine, Turkey, and Germany, is utilising one of the NSA exploits leaked by WikiLeaks earlier this year. According to several malware researchers and subsequent analysis, the NSA exploit EternalRomance was used to spread the malware and move it laterally across the network.

Cybersecurity firm Kaspersky Lab was monitoring the malware and compared it to the WannaCry and Petya attacks that caused so much chaos earlier this year.

Despite early reports that no NSA exploits were used in this week’s crypto-ransomware outbreak, research released by Cisco Talos suggested that the ransomware worm known as ‘Bad Rabbit’ did, in fact, use a stolen Equation Group exploit revealed by the Shadow Brokers to spread across victims’ networks. The attackers used an EternalRomance-like exploit to bypass security mechanisms, but there were no signs of the DoublePulsar backdoor or of any shellcode targeting Server Message Block (SMB), the application-layer file-sharing protocol also known as the Common Internet File System (CIFS), which enables remote execution of instructions on Windows clients and servers. Bad Rabbit closely follows an open-source Python implementation of the MS17-010 Windows exploit that used EternalRomance (and another Equation Group tool, EternalSynergy), leveraging the same methods revealed in the Shadow Brokers code release. ExPetr/NotPetya also leveraged this exploit.

Key Points of Bad Rabbit

  • Affects Windows OS.
  • Distributed through a fake Adobe Flash Update (install_flash_player.exe) that requires confirmation by the user.
  • Attempts to spread itself via SMB and WMIC.
  • Shares binary similarities with ExPetr/NotPetya.
  • Uses compromised websites to deliver the dropper (drive-by download).
  • Infpub.dat is the main DLL, cscc.dat is the legitimate disk-encryption driver, and dispci.exe installs the boot-locker and communicates with the driver.
  • The executable dispci.exe uses the legitimate disk-encryption module from DiskCryptor.
  • Does not delete Shadow Copies.

Bad Rabbit vs Petya (ExPetr, NotPetya etc.)

Below is a comparison table between the Petya and Bad Rabbit malware families:

Once infected by Bad Rabbit, the victim is directed to a Tor hidden service where a ransom of 0.05 Bitcoin (~£220) is demanded to decrypt the victim’s data. If the ransom is not paid within approximately 42 hours, the price of decrypting the data increases further. The ransom note, red text on a black background, appears very similar to the one used in the NotPetya attacks this June.

NotPetya primarily targeted Russia and Ukraine, with the vast majority of infections occurring in Ukraine, but some big names in the West also suffered: international advertising conglomerate WPP was taken offline, global law firm DLA Piper was infected, pharmaceutical company Merck was hit hard and, most worryingly, shipping behemoth Maersk warned of a worldwide outage that could seriously disrupt the global transport supply chain. Computer terminals in major ports were taken down for hours by the malware.

According to Kaspersky Lab’s initial analysis, “No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. We’ve detected a number of compromised websites, all of which were news or media websites.”

On the other hand, ESET security researchers have detected the Bad Rabbit ransomware threat as “Win32/Diskcoder.D”, a new variant of the Petya malware family. The Petya family is also known as Petrwrap, NotPetya, ExPetr and GoldenEye.

Analysis & Propagation Mechanisms

Initially, the malicious website delivering the payload, a fake Adobe Flash Update executable, was taken down after approximately 6 hours. The main infection vector now appears to be a number of compromised websites (see the IOCs below) that serve the malicious install_flash_player.exe file in a drive-by download attack, unlike Petya, whose infection vector was a supply chain attack (i.e. Word documents). The fake Flash download was planted on those compromised websites using a JavaScript snippet injected into the HTML or JavaScript files of the affected sites.

Looking at the downloaded file named install_flash_player.exe, we can see that its digital signature is from Symantec Corporation and not from Adobe Systems Incorporated, as it would be on a legitimate Flash Player executable. Malware authors nowadays do this to stop antivirus systems from detecting their malware while also attempting to bypass other security mechanisms. They do not even need to control a code-signing certificate: they simply copy an Authenticode signature from a legitimate file onto their malware sample. Such a copied signature does not validate, because the signed hash no longer matches the file’s contents, but it can fool tooling that only checks whether a signature is present.
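The following PowerShell, added here as an example and not part of the original post, checks whether a downloaded installer’s Authenticode signature actually validates and whether the signer is the expected publisher; the download path and publisher name are assumptions for illustration.

```powershell
# Added example, not code from the original post. Verifies that a downloaded
# installer carries a *valid* Authenticode signature from the expected publisher.
# A signature block copied from another binary (as described above) does not
# validate, because the signed hash no longer matches the file's contents.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedPublisher = 'Adobe Systems Incorporated'   # assumed publisher
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'MISSING'; Reason = 'file not found' }
    }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Status is 'Valid' only when the signature verifies against the file hash
    # and chains to a trusted root. Anything else (NotSigned, HashMismatch,
    # NotTrusted, UnknownError, ...) is treated as untrusted.
    if ($sig.Status -ne 'Valid') {
        $verdict = 'BLOCK'
        $reason  = "signature status: $($sig.Status) ($($sig.StatusMessage))"
    }
    elseif ($signer -notmatch [regex]::Escape("CN=$ExpectedPublisher")) {
        # Valid signature, but from a signer other than the one the file claims to be.
        $verdict = 'BLOCK'
        $reason  = "signed by '$signer', expected '$ExpectedPublisher'"
    }
    else {
        $verdict = 'ALLOW'
        $reason  = 'valid signature from expected publisher'
    }

    [pscustomobject]@{ Path = $Path; Verdict = $verdict; Signer = $signer; Reason = $reason }
}

# Assumed download location; adjust for your environment.
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\install_flash_player.exe" | Format-List
```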

The downloaded file install_flash_player.exe must be launched manually by the user. Bad Rabbit needs elevated administrative privileges and will therefore request them through the standard User Account Control (UAC) prompt, as shown below. UAC is NOT turned off by default on Windows, precisely to guard against such risks; if you have turned off UAC, however, the dropper will run without any prompt being shown. Other types of malware disable UAC themselves, setting the EnableLUA value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System to 0 in order to bypass this mechanism.

After install_flash_player.exe is executed, it saves the malicious DLL as C:\Windows\infpub.dat and launches it using rundll32.

Infpub.dat appears to be capable of brute-forcing NTLM login credentials against Windows machines at pseudo-random IP addresses. It is worth mentioning that the default Windows authentication protocol nowadays is Kerberos; however, if Kerberos authentication fails, Windows falls back to the NTLM challenge/response mechanism. NT LAN Manager is the default authentication protocol in Windows NT and in Windows 2000 workgroup environments. Windows Server 2003, Windows XP, and Windows 2000 use a mechanism called Negotiate (SPNEGO) to negotiate which authentication protocol is used.

Infpub.dat also installs the malicious executable dispci.exe into C:\Windows and, as NotPetya did, schedules a task that reboots the system once the infection and compromise phases complete; the scheduled task also gives it persistence while communicating with the driver used for encryption. It then behaves like a typical file-encrypting ransomware: it finds the victim’s data files using an embedded extension list and encrypts them using the criminal’s public RSA-2048 key. The executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor. It acts as the disk-encryption module, installs the modified bootloader and prevents the infected machine from booting normally.

Bad Rabbit is capable of moving laterally across a network and of brute-forcing NTLM login credentials. It comes with a predefined hardcoded credential list and a bundled copy of Mimikatz.
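As an added host-triage example (not the original post’s script), the PowerShell below checks the artefacts described above: the EnableLUA setting, the dropped files in %SystemRoot% hashed against the SHA-1 values from this post’s Primary IOCs, and scheduled tasks whose action references dispci.exe or infpub.dat (the post names no task, so the match is on the action).

```powershell
# Added example, not code from the original post. Triage for the Bad Rabbit
# artefacts described above. SHA-1 values come from the Primary IOCs section.
$KnownBad = @{
    'infpub.dat' = '79116fe99f2b421c52ef64097f0f39b815b20907'
    'dispci.exe' = 'afeee8b4acff87bc469a6f0364a81ae5d60a2add'
}

function Get-BadRabbitTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. UAC: with EnableLUA = 0 the dropper elevates without any prompt.
    $uacKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -ne 1) { $findings.Add("UAC disabled or value missing (EnableLUA='$lua')") }

    # 2. Dropped files in the Windows directory, hashed against the known IOCs.
    #    cscc.dat has no hash in the post (it is a legitimate DiskCryptor driver),
    #    but nothing legitimate should have dropped it here. If you applied the
    #    vaccine from the Countermeasures section, these files exist on purpose.
    foreach ($name in 'infpub.dat', 'dispci.exe', 'cscc.dat') {
        $path = Join-Path $env:SystemRoot $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sha1 = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash.ToLower()
        if ($KnownBad[$name] -eq $sha1) {
            $findings.Add("$path matches known Bad Rabbit sample ($sha1)")
        } else {
            $findings.Add("$path present, hash not in IOC list ($sha1) - review manually")
        }
    }

    # 3. Reboot/persistence task: match any task action that runs the dropped files.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -match 'dispci\.exe|infpub\.dat') {
                $findings.Add("scheduled task '$($_.TaskName)' runs: $($a.Execute) $($a.Arguments)")
            }
        }
    }
    return $findings
}

$result = Get-BadRabbitTriage
if ($result.Count -eq 0) { 'no Bad Rabbit artefacts found' } else { $result }
```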

Bad Rabbit bears similarities to the WannaCry and Petya outbreaks earlier this year, as illustrated above. It has spread like wildfire around Europe and has already affected over 200 major organisations, primarily in Russia, Ukraine, Bulgaria, Turkey, and Germany.

According to ESET’s telemetry, Russia accounts for 65% of the detections of the Bad Rabbit dropper component seen so far (the numbers will most likely increase going forward). The statistics are as follows:

Russia: 65%
Ukraine: 12.2%
Bulgaria: 10.2%
Turkey: 6.4%
Japan: 3.8%
Other: 2.4%

The following indicators are associated with this incident:

Primary IOCs

SHA-1: 79116fe99f2b421c52ef64097f0f39b815b20907
MD5: 1d724f95c61f1055f0d02c2154bbccd3
Filename: infpub.dat
Description: Diskcoder

SHA-1: afeee8b4acff87bc469a6f0364a81ae5d60a2add
MD5: b14d8faf7f0cbcfad051cefe5f39645f
Filename: dispci.exe
Description: Lockscreen

SHA-1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
MD5: bdc39af1139aebba4da004475e8839
Filename: install_flash_player.exe
Description: Dropper

SHA-1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
Description: Mimikatz (32-bit)

SHA-1: 16605a4a29a101208457c47ebfde788487be788d
Description: Mimikatz (64-bit)

SHA-1: 4f61e154230a64902ae035434690bf2b96b4e018
Filename: page-main.js
Description: JavaScript running on compromised sites

Payment site: http://caforssztxqzf2nm[.]onion
Inject URL: http://185.149.120[.]3/scholargoogle/
Distribution URL: hxxp://1dnscontrol[.]com/flash_install.php


Compromised sites:


Additional Domains associated with Bad Rabbit (i.e. compromised site, C2):


Secondary IOCs

MD5: fbbdc39af1139aebba4da004475e8839
MD5: 098c323b1a59bcf15c1feb8055e58931
MD5: 9cc3629beb9d1f37932d860de2e3a4f5
MD5: 4e5d61b2bd73632f0225e39a2e2c5144
MD5: 256c5e23a9ad8a276128f84017b2d79d
MD5: 26cd68101ade4e5f70ab3cd5f35e0ad5

File Recovery

First of all, DO NOT PAY THE RANSOM!

The encryption scheme used by the ransomware is a typical hybrid one: AES-128 in CBC mode for the data, with the criminal’s RSA-2048 public key (public exponent 65537) protecting the symmetric keys. The exponent 65537 is commonly used in RSA for performance reasons during the encryption/verification phase, as a larger exponent would make the public RSA operation much slower. The encryption and hashing algorithms used in Bad Rabbit appear to be the same ones used in the ExPetr ransomware.
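Why the public operation with this exponent is so cheap, as an added worked derivation that is not part of the original post, writing $e$ for the public exponent, $d$ for the private exponent and $w(k)$ for the number of set bits in $k$ (assuming square-and-multiply exponentiation and a 2048-bit $d$ with roughly half its bits set):

\[
\text{cost}\big(m^{k} \bmod n\big) \;\approx\; \underbrace{\lfloor \log_2 k \rfloor}_{\text{squarings}} \;+\; \underbrace{w(k) - 1}_{\text{multiplications}}
\]

\[
e = 65537 = 2^{16} + 1 = 1\underbrace{0\cdots0}_{15}1_{\,2} \;\Rightarrow\; 16 + 1 = 17 \text{ modular operations}
\]

\[
d \approx 2^{2047},\quad w(d) \approx 1024 \;\Rightarrow\; 2047 + 1023 \approx 3070 \text{ modular operations}
\]

So wrapping a per-file key with the public key costs about 1/180 of the private-key unwrap the criminal performs, and a larger exponent with more set bits would only add squarings and multiplications to the victim-side operation.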

According to Kaspersky Lab, the full list of embedded process-name hashes is the following:

Luckily, Bad Rabbit is not a wiper, unlike ExPetr/NotPetya, where victims were unable to decrypt the Master File Table (MFT) that had been encrypted by the GoldenEye ransomware family component. Unfortunately, users affected by Bad Rabbit will be unable to decrypt their files without the threat actor’s RSA-2048 private key, since the symmetric encryption keys are securely generated on the ransomware side.

On the other hand, Kaspersky Lab has found a flaw in the code of dispci.exe: the malware doesn’t wipe the generated password from memory, which means there is a slim chance to extract it before the dispci.exe process terminates, provided you haven’t rebooted the machine.

Finally, it appears that shadow copies (aka Volume Snapshot Service) are not deleted by the ransomware during or after encryption. Therefore, if you had enabled and configured volume shadow copies on your Windows volumes, you might be lucky enough to get your encrypted files back.

Countermeasures

Disable the WMI service to prevent the malware from spreading over the network, and block execution of files such as C:\Windows\infpub.dat and C:\Windows\cscc.dat. Stay vigilant when opening unsolicited emails containing documents or clicking on embedded links, as there will also be copycat-style attacks out there.

Consider pre-creating the dropped files infpub.dat and cscc.dat under C:\Windows\ with permissions that deny all access, so the ransomware cannot write or execute them.
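One way to apply and verify that vaccine, added here as an example and not the original post’s own script: it creates the two files in %SystemRoot%, strips inherited permissions and denies Everyone full control with icacls, then reads the ACL back. The file names come from the post; the deny-Everyone choice is this example’s assumption. The WMI service is deliberately left alone, since stopping it breaks much management tooling and is a separate decision.

```powershell
# Added example, not code from the original post. Pre-creates the files the
# ransomware drops and removes all access to them, so a later attempt to create
# or overwrite them in %SystemRoot% is denied. Run from an elevated session.
function Install-BadRabbitVaccine {
    param([string[]] $Names = @('infpub.dat', 'cscc.dat'))

    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot $name
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path | Out-Null
        }
        # /inheritance:r drops inherited ACEs; the explicit Deny then blocks everyone.
        & icacls.exe $path /inheritance:r /deny 'Everyone:(F)' | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed for $path (exit $LASTEXITCODE)" }
    }
}

function Test-BadRabbitVaccine {
    param([string[]] $Names = @('infpub.dat', 'cscc.dat'))

    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Protected = $false; Reason = 'file missing' }
            continue
        }
        $acl = Get-Acl -LiteralPath $path
        $denyAll = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.FileSystemRights  -eq 'FullControl' -and
            $_.IdentityReference -like '*Everyone'
        }
        # Protected only if inheritance is off AND the explicit Deny ACE is present.
        [pscustomobject]@{
            Path      = $path
            Protected = [bool]$denyAll -and $acl.AreAccessRulesProtected
            Reason    = if ($denyAll) { 'deny Everyone:(F) in place' } else { 'deny ACE missing' }
        }
    }
}

Install-BadRabbitVaccine
Test-BadRabbitVaccine | Format-Table -AutoSize
```

To remove the vaccine later, take ownership or grant yourself access with icacls before deleting the files, because the Deny ACE also applies to administrators.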

Monitor for, and block as necessary, the Primary and Secondary IOCs listed above.


Note: This section is updated at regular intervals* with relevant information on further countermeasures, so as to limit and prevent exposure to this threat as much as possible.

* You can check the (Last Updated On: “Date”) line at the beginning of the post to see when it was last updated.

If you have any questions, comments, corrections, or suggestions for improvement, please don’t hesitate to leave us some feedback in the Comments section below.

References:

[1] Bad Rabbit ransomware: https://securelist.com/bad-rabbit-ransomware/82851/

[2] Bad Rabbit: Not-Petya is back with improved ransomware: https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/